Remote Administration | Wayne Zimmerman's Blog

Posts Tagged ‘Remote Administration’

How to Set Permission on a Service Using Subinacl

February 9th, 2010

Wayne Zimmerman

A couple of months back I was installed some communication software that made a VPN connection to the main server. It used OpenVPN to establish the connection and worked fine as long as your were an administrator on the PC. As I researched it further it installed a service and required that service to run on demand when the user launch the program. Since your standard limited user does not have privileges to start and stop services the application would fail to connect to the server.

So now the question becomes, how do you add permissions to a service?

Microsoft has an answer with a little known command line application called subinacl. This application allows you to view and edit security information for files, registry keys, and services. This can be handy if you are writing a script to change permissions on registry keys or files but the real power lies within the ability to edit the security information on services.

The syntax for subinacl: SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The Access parameter is broken down like this:
F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands
For my example I just needed to allow the Domain Users group access to run the OpenVPN service.

subinacl /service OpenVPN /GRANT=DOMAIN\Domain Users=TO

You may need to execute this from the folder where subinacl.exe is located. Also if it is running the command on a local system you can just type the name of the service and not the UNC path to the service.

Download subinacl.exe from Microsoft
For more information about this command please visit: http://support.microsoft.com/kb/288129

Posted in Tech

Tags: Command Line, Domain, Permissions, Registry, Remote Administration, Security, Service, subinacl, subinacl.exe

No Comments »

Weekly Terminal Services Connection Report using VBS

June 29th, 2009

Wayne Zimmerman

A few weeks ago we had some state auditors come by and mention that we should review our logs for any sort of outside / vendor access. I knew that going to each server and reviewing the logs manually would be very time consuming and not really provide solid documentation that it was done. I decided that the only way to solve this problem was with a report of some nature. I fired up my trusty Crystal Reports and started to view the logs using that, once I got in to more I realized that when I added the description field of the event log it always crashed Crystal Reports. This left me going to plan B which is writing the reports from scratch using Visual Basic Scripting language.

I already knew that you can use VBS to connect to WMI (Windows Management Interface) and view different parts of the system including the event log, so I spent the morning writing the report and parsing it down to the detail that I really needed. Then I decided to take it to the next level by adding in recursion for multiple servers and also set it up to send an HTML email so it is easy to review every week. Why every week you may ask, well in looking at my event log on my domain server I noticed that I start losing Security events at about 10-14 days out since it is authorizing so much, and a weekly task is a very manageable one.

Script Configuration

Configure the servers that this script will report on. Modify the Servers array for each server that needs to be checked. (Note: all servers need the same login credentials for the script to work)
Find the objMessage.From field and update it with who the email is coming from
Find the objMessage.To Field and update with the email address of the person who will be receiving the report, if you have multiple addresses to send to separate them with a semi-colon (;)
Find the (“http://schemas.microsoft.com/cdo/configuration/smtpserver”) = “smtp-relay.waynezim.com” and update this with your SMTP server, if your server requires authentication you will need to modify this script to include that, a simple Google search should show you what needs to be changed.
This script should be setup to be a scheduled task on one of your servers, the credentials used in setting up the job will be used to connect to the other servers, this account needs to exist on all servers to view the Security Event Log and make the report.
To setup a scheduled task, go to your Control Panel, open Scheduled Tasks, right click New > Scheduled Task, name it, then right click and modify the Properties, Browse to where the script is saved, set the Run as at the bottom for the user that exists on all Servers and set the password. Then go to the Schedule tab and set it to Weekly and change it to run when you want it to.

^?Download RemoteConnectionsReport.vbs

Dim objWMI, objEvent ' Objects
Dim strComputer ' Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
'--------------------------------------------
' Server List to Parse Logs
Dim Servers(5)
Servers(0) = "server1"
Servers(1) = "server2"
Servers(2) = "server3"
Servers(3) = "server4"
Servers(4) = "server5"
Servers(5) = "server6"
'--------------------------------------------
' Email Body Heading
HTMLMsg = "<html><body><h3>Remote Desktop Connections from " & cDate(Now() - 7) & " to " & cDate(Now()) & "</h3>"
HTMLMsg = HTMLMsg & "<table border=1><tr><td><b>Computer Name</b></td><td><b>Logon Type</b></td><td><b>Remote IP</b></td><td><b>Date / Time</b></td><td><b>User</b></td></tr>"
'--------------------------------------------
' Next section creates the file to store Events
' Then creates WMI connector to the Logs
 
'Range Variable - Out of Loop for Common Report Time
WeekAgo = cDate(Now() - 7)
 
'Start Each Computer Loop
For Each strComputer in Servers
' --------------------------------------------
' Set your variables for Events Loop
intEvent = 1
intRecordNum = 1
 
Set objWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' AND EventCode = 528 AND TimeWritten > '" & WeekAgo & "'")
' -----------------------------------------
' Next section loops through ID properties
intEvent = 1
	For Each objEvent in colLoggedEvents
 
	HTMLMsg = HTMLMsg & "<tr><td>" & objEvent.ComputerName & "</td>"
	LogonType = RTrim(Mid(objEvent.Message,InStr(objEvent.Message,"Logon Type:")+12,2))
	If LogonType = 2 Then HTMLMsg = HTMLMsg & "<td>Interactive</td>" End if
	If LogonType = 3 Then HTMLMsg = HTMLMsg & "<td>Network</td>" End if
	If LogonType = 4 Then HTMLMsg = HTMLMsg & "<td>Batch</td>" End if
	If LogonType = 5 Then HTMLMsg = HTMLMsg & "<td>Service</td>" End if
	If LogonType = 7 Then HTMLMsg = HTMLMsg & "<td>Unlock</td>" End if
	If LogonType = 8 Then HTMLMsg = HTMLMsg & "<td>Network using Clear Text</td>" End if
	If LogonType = 9 Then HTMLMsg = HTMLMsg & "<td>New Credentials</td>" End if
	If LogonType = 10 Then HTMLMsg = HTMLMsg & "<td>Remote Interactive</td>" End if
	If LogonType = 11 Then HTMLMsg = HTMLMsg & "<td>Cached Interaction</td>" End if
 
	IPlen = InStr(InStr(objEvent.Message,"Source Network Address:")+24,objEvent.Message,"	") - InStr(objEvent.Message,"Source Network Address:") - 28
	RemoteAddress = RTrim(Mid(objEvent.Message,InStr(objEvent.Message,"Source Network Address:")+24,IPlen))
	HTMLMsg = HTMLMsg & "<td>" & RemoteAddress & "</td>"
	EventTime = Mid(objEvent.TimeWritten, 5, 2) & "/" & Mid(objEvent.TimeWritten, 7, 2) & "/" & Mid(objEvent.TimeWritten, 1, 4) & " " & Mid(objEvent.TimeWritten, 9, 2) & ":" & Mid(objEvent.TimeWritten, 11, 2) & "." & Mid(objEvent.TimeWritten, 13, 2)
	HTMLMsg = HTMLMsg & "<td>" & EventTime & "</td>"
	HTMLMsg = HTMLMsg & "<td>" & objEvent.User & "</td></tr>"
	intRecordNum = intRecordNum +1
	IntEvent = intEvent +1
 
	Next
Next
 
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = "Remote Connections Report: " & cDate(Now())
objMessage.From = "root@waynezim.com"
objMessage.To = "waynezim@waynezim.com"
objMessage.HTMLBody = HTMLMsg
'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp-relay.waynezim.com"
'Server port (typically 25)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
'==End remote SMTP server configuration section==
 
objMessage.Send
WScript.Quit

Report Preview
If you need help decoding what Logon Type really means check out this great article.

Posted in Code

Tags: Audit, Code, Email, Event Log, HTML, Remote Administration, Remote Desktop Connection, Report, Security, SMTP, Terminal Services, vbs, VBscript

No Comments »

How to Remotely Import and Export Registry Settings with Multiple Computers

June 9th, 2009

Wayne Zimmerman

Following up to my article about different ways you can manage your computers remotely, I wrote about modifying the registry across the network and explained how that could simply your IT world. Now I am going to show you a neat trick that can save you from running around and changing different registry keys on every computer, and let your fingers do the walking for you.

The Microsoft Registry Editor is one of the most powerful applications in the Windows system, mostly because it controls all the other settings for all the other programs installed on the computer. Even better is the fact that it will allows you to import and export even when you are accessing the computer across the network. For my example here I will be exporting system settings for Adobe Acrobat Reader and importing them on another machine. This would be the same process for any other application or system preference that is stored in the registry.

Open up the registry editor by going to Start > Run and typing regedit then press OK
To open up another machines registry just go to File > Connect Network Registry… You can open several computers registry all at the same time. You will need to open all the computers registry to be able to import the registry settings.
Now browse to the key that you would like to Export, then right in the treeview on the left, right click and select Export. Now save it some where like your desktop where you can easily find it again. This makes a .reg file that you can import to your computer or others.
Now go to your File menu and select Import, it will prompt you for the location of the file then press Open on the dialog box. Then it will show you a selection of the several PCs registry that you have open, you can select one or as many computers as you would like to import the registry setting to, it will import it to the same location you exported it from. Depending on the number of computers you selected you should get as many confirmations that it was imported correctly.

It’s that simple and you have now updated registry settings for several computers without having to leave the comfort (or discomfort) of your desk chair. This is perfect to update any setting that is stored in the registry and is constant across all the workstations. Now remember admins, work smart not hard.

Posted in Tech

Tags: regedit.exe, Registry, Remote Administration

No Comments »

How to Remotely Manage Workstation in Your Network

May 7th, 2009

Wayne Zimmerman

You would be surprised at how often I solve a users issue without having to leave my desk. Users typically calls me about issues about how they need an icon, need a printer job canceled, or can’t find the file they are looking for. Here are some helpful methods that you can use your environment to fix problems without leaving your desk.

Using Hidden Drive Shares
This is the one of the easiest to use and the most flexible to help you manage files on remote workstations. By default Microsoft Windows shares hard disk drives as a hidden share that only administrators can access. When you are setting up your domain you basically centralize the user authentication so now you have an administrator account on all the computers in your domain. This does require that file and print sharing is turned on in the Windows Firewall but for most environments this is most likely already on. To enable it from command line just type netsh firewall set service type = fileandprint mode = enable in command line window or run box. To configure it using Group Policy follow the these instructions

Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
In the details pane, double-click Windows Firewall: Allow file and printer sharing exception.
In the Windows Firewall: Allow file and printer sharing exception dialog box, on the Settings tab, click Enabled or Disabled.

To access these shares you need to go to the UNC path of the computer followed by the drive letter and a dollar sign. Ex: \\computername\C$ and bam there is the entire drive of that computer. Now you can browse in the Documents and Settings and the user and add the icon on the desktop all from your computer. This should work for any Microsoft Windows since 2000 including server operating systems.

Remote Microsoft Management Console
If you are not familiar with Microsoft Management Console or MMC then you need to be. It is a unified management console that allows you to adjust not only settings on your computer but remote ones as well. To use this command remotely you need to enable “Remote Administration” in the Windows Firewall this can be done by running the following command: netsh firewall set service type = remoteadmin mode = enable or you can enable it using group policy by following these Microsoft steps: Microsoft Article

Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
In the details pane, double-click Windows Firewall: Allow remote administration exception.
In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.

Once you have the exception in place you can run different commands remotely either by accessing a menu with the console or starting it from command line to open a computer. To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management console to that remote computer. Now you can go though the different parts of the machines from your desktop without interrupting the user. You should be able to do most things that you could if you were running this locally on the PC except for the Device Manager which is in read-only mode.

Remote Registry Editing
Another less know feature of the registry editor is the ability to open a remote computers registry and make changes. To open the registry editor type regedit in your run box or command line, once it has open go to the File Menu and select Connect Network Registry… then just type in the name of the computer in the box and it should just open as another computer in the tree view. There are a few things to be aware of when editing another computers registry, you cannot undo your changes, so be sure you know what you are doing or the next call might be about the computer you just hosed by changing something you shouldn’t have. Also, the current user hive is sort of hard to find. It is under HKEY_USERS then it is probably something like S-1-5-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX, if you have multiple entries like this you will need to check the Volatile Environment key named SESSIONNAME, it is set to Console then that is the HKEY_CURRENT_USER hive. The local machine class is in the same place in both the remote registry and the local one.